Validating Digital Signatures in Adobe - signfiles.com


Upload: tranxuyen

Post on 05-Jun-2018


Validating Digital Signatures in Adobe

Table of Contents

1. Certificates Recognized “Trusted by default” in Adobe
2. Add the Root Certificate on Adobe Trusted Identities
3. Validate the Signature using Windows Integration
4. Export/Import the FDF (Acrobat Forms Data Format)
5. Validate Adobe Timestamps
6. Other Validation Settings

Usually, the digital certificates are issued by a Root CA (Certification Authority).

If the Root CA that issued the signing certificate is not included in Adobe Trusted Identities, the digital signature is considered "not trusted" (but NOT invalid) when the document is opened in Adobe Reader (see example below).

This behavior has nothing to do with the signing engine (e.g. PDF Signer, Adobe Reader) but with the Adobe certificate validation procedure.

The recipient must manually add the Root Certificate of the signing certificate to Adobe Trusted Identities because not all Root CAs are considered trusted by default by the Adobe certificate validation engine (see this article: https://helpx.adobe.com/acrobat/kb/trust-services.html).

The digital signature is not trusted

1. Certificates Recognized “Trusted by default” in Adobe

Adobe European Union Trust List (EUTL)

If the digital certificate is issued by an eIDAS accredited Certification Authority, the signature will appear as valid in Adobe by default. An eIDAS certificate can be obtained from one of these Service Providers: https://webgate.ec.europa.eu/tl-browser/#/

Adobe Approved Trust List (AATL)

The Adobe Approved Trust List (AATL) is the largest Trust Service for electronic documents in the world.

Service Providers: https://helpx.adobe.com/acrobat/kb/approved-trust-list1.html

Adobe Certified Document Services (CDS)

Certified Document Services (CDS) is a Trust Service enabled by the Adobe Root Certificate Authority.

Service Providers: https://helpx.adobe.com/acrobat/kb/certified-document-services.html

A digital signature performed with an eIDAS digital certificate

2. Add the Root Certificate on Adobe Trusted Identities

Some of the Root CAs are included by default in the Windows Certificate Store (Trusted Root Certification Authorities) and only a few are included in Adobe Trusted Identities.

Because the Root CA of the signing certificate is not included in Adobe Trusted Identities, the signature is considered “not trusted” (but NOT invalid).

Signature is not trusted

To manually add the Root Certificate to the Adobe Trusted Identities, open the signature properties, click Show Certificate and select the Trust tab.

Be sure that you have selected the topmost Root Certificate.

Trust a CA certificate

Press Add to Trusted Identities tab and be sure you have checked all checkboxes, as below.

Trust a CA certificate

After all dialog boxes are closed and the document is re-opened, the signature is considered Valid.

Valid digital signature

The Root Certificate is now Trusted and all signatures generated with this Root Certificate will also be Trusted.

Trusted Root Certificate

3. Validate the Signature using Windows Integration

You can use this method if your digital certificate is issued by a Root CA already installed in the Microsoft Certificate Store. Microsoft and Adobe use different Certificate Stores and different certificate validation procedures.

To see if your Root CA is installed on Microsoft Certificate Store, go to Start – Run – certmgr.msc


You can also import your Root Certificate here.


After you check that your Root Certificate is installed, in Adobe Reader go to Edit menu – Preferences option – Security tab – click on Advanced Preferences button – Windows Integration tab and check all checkboxes.


When the document is re-opened, the digital signature is considered valid.

Valid Signature

4. Export/Import the FDF (Acrobat Forms Data Format)

To avoid manually adding the Root Certificate on every client machine, the Root Certificate can be exported as an Adobe FDF file. Once the file is exported, it can be installed on every machine where the digital signatures must be verified.

The FDF file can be exported from the Digital signature properties – Certificate section. Be sure the Root Certificate is selected and not the signing certificate.


On the next window select Acrobat FDF data Exchange, as below:


Save the FDF file.


The signature before importing the FDF file is considered “not trusted”, like below:

To install the FDF file on the computer where the signature must be validated, open the FDF file, press the Set Contact Trust button and check all checkboxes, as below:


Import the FDF file.


After the FDF file is imported, the signature is considered Trusted.


5. Validate Adobe Timestamps

An Adobe Timestamp is in fact a subsequent signature added to the PDF signature, so to validate an Adobe Timestamp simply follow the instructions from the section above.

Timestamp is not trusted

Go to Date/Time Tab and display the Timestamp Authority certificate.


Press the Add to Trusted Identities button.


Be sure you have checked all checkboxes, as below.


After all dialog boxes are closed and the document is re-opened, the timestamp is considered Valid.


6. Other Validation Settings

In some cases, the digital signature cannot be correctly validated for reasons such as:
- Internet connection is not available
- Proxy settings cannot be set in Adobe
- CRL/OCSP revocation information cannot be downloaded or is not available.

In this case, even if the digital signature is trusted and valid, Adobe will consider this signature “not trusted” because the revocation information cannot be obtained.

This section applies when you get one of the following messages:

OCSP revocation server is not available

CRL revocation list is not available.


The digital signature is considered not trusted even if the signature is not altered.


To avoid this behavior, Adobe must be configured to bypass this additional revocation checking.

Go to Edit menu – Preferences option – Security tab – click on Advanced Preferences button – Verification tab and set the interface as below:


After these settings are saved, the document is considered valid by Adobe.
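The cases this guide separates (root not trusted in sections 2 to 4, revocation information unavailable in section 6) can be told apart by asking the Windows chain engine directly. The PowerShell below is an added example, not part of the original guide; its result matches Adobe's only when Windows Integration (section 3) is enabled, the function name and labels are hypothetical, and it assumes PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7 on Windows.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example, not from the original guide; function name and labels are hypothetical.
function Get-SignerTrustDiagnosis {
    param(
        [Parameter(Mandatory)] [X509Certificate2] $Certificate,
        # Online contacts the CRL/OCSP endpoints; NoCheck skips revocation checking.
        [X509RevocationMode] $RevocationMode = 'Online'
    )
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    $null = $chain.Build($Certificate)

    # Each ChainStatus entry reports one problem found while building the chain.
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $top     = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inStore = (Test-Path "Cert:\CurrentUser\Root\$($top.Thumbprint)") -or
               (Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)")

    $diagnosis = if ($status -contains 'NotSignatureValid') {
        'Invalid: a certificate signature in the chain does not verify'
    } elseif ($status -contains 'Revoked') {
        'Revoked'
    } elseif ($status -contains 'UntrustedRoot' -or $status -contains 'PartialChain') {
        'Not trusted: chain does not end in a Windows trusted root (sections 2 to 4)'
    } elseif ($status -contains 'RevocationStatusUnknown' -or $status -contains 'OfflineRevocation') {
        'Revocation information unavailable (section 6)'
    } elseif ($status.Count -eq 0) {
        'Trusted by Windows'
    } else {
        'Other: inspect ChainStatus'
    }

    [pscustomobject]@{
        Diagnosis         = $diagnosis
        ChainStatus       = $status -join ', '
        TopOfChainSubject = $top.Subject
        TopOfChainThumb   = $top.Thumbprint   # compare with the CA's published fingerprint
        TopInWindowsRoots = $inStore
    }
}

# Constructed sample input: an in-memory self-signed certificate, never added to any store.
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=Constructed Example Root', $rsa,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))
Get-SignerTrustDiagnosis -Certificate $cert -RevocationMode NoCheck
```

For a real signer, load the exported certificate with `[X509Certificate2]::new('signer.cer')` (a hypothetical file name) and keep the default Online mode so that unreachable CRL/OCSP endpoints show up in `ChainStatus`.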
